
Improving Roles with Role Insights

Role Insights, part of Access Modeling, provides you with a greater understanding of your organization's role program, informs you of automatically discovered roles, suggests changes to your existing roles, and provides access to saved role discovery sessions and draft roles.

Role Insights regularly looks for updates, offers new role insights, and automatically discovers roles as access in your organization changes.

Role Insights can be accessed by Admins and users with the role admin user level.

You can explore the following role insights and use them to improve the security of your role program:

  • Automatically discovered potential roles

  • Your progress toward role program benchmarks for best security practices, such as the principle of least privilege

  • Suggested entitlement additions for your current roles

  • The percentage of identities with a role that also hold a suggested entitlement

  • Lists of specific identities that would be impacted by the suggested role change

Role Insights Prerequisites

For Role Insights to be able to provide insights and suggestions for existing roles, your organization must have a basic role model configured in Identity Security Cloud. There must be roles configured that include entitlements and are assigned to identities.

Role Insights Process Overview

The process is described in detail in the sections that follow.

  1. Launch Role Insights.

  2. Explore any automatically discovered roles and consider creating a new role.

  3. Explore role insights and export the suggested updates to implement manually in your existing roles.

Understanding Role Insights

SailPoint automatically discovers potential roles with entitlement-based access similarities among identities.

Entitlement updates for roles are determined by SailPoint algorithms based on the following criteria:

  1. The organization must have entitlements that do not belong to any role. These kinds of entitlements are usually assigned directly to individual identities.

  2. A candidate list is built of entitlements that are held by at least 80% of the identities in a role but are not defined in the role. SailPoint Services can configure the popularity percentage upon request.

  3. The candidate list is reduced to include only entitlements with sources in the role.

The remaining entitlements are presented as role insights for your consideration.
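The three criteria above, worked through on constructed data as an added example (this is not SailPoint's own implementation, and the "Source:Name" encoding of entitlements, the role and identity names, and the `DIRECT_ACCESS` map are all assumptions made for the example). It returns, per role, each suggested entitlement together with the share of the role's identities that already hold it and the identities that would be impacted by adding it:

```python
from collections import Counter

# Popularity threshold from the page: an entitlement must be held by at least
# 80% of a role's identities to be suggested. The page says SailPoint Services
# can change this value; here it is simply a parameter.
DEFAULT_POPULARITY = 0.80

# Constructed sample data (not from the page). Entitlements are written as
# "Source:Name" so the source of each entitlement can be recovered; that
# encoding is an assumption of this example.
ROLES = {
    "Finance Analyst": {
        "entitlements": {"AD:Finance-Share", "SAP:FI_DISPLAY"},
        "members": {"alice", "bob", "carol", "dave", "erin"},
    },
    "Payroll": {
        "entitlements": {"SAP:PY_RUN"},
        "members": {"frank"},
    },
}

# Entitlements assigned directly to identities, outside any role (constructed).
# SAP:PY_RUN belongs to the Payroll role, so criterion 1 excludes it even
# though every Finance Analyst holds it directly.
DIRECT_ACCESS = {
    "alice": {"SAP:FI_POST", "AD:Finance-Printers", "Workday:Timesheet", "SAP:PY_RUN"},
    "bob":   {"SAP:FI_POST", "AD:Finance-Printers", "Workday:Timesheet", "SAP:PY_RUN"},
    "carol": {"SAP:FI_POST", "AD:Finance-Printers", "Workday:Timesheet", "SAP:PY_RUN"},
    "dave":  {"SAP:FI_POST", "AD:Finance-Printers", "Jira:Finance", "SAP:PY_RUN"},
    "erin":  {"AD:Finance-Printers", "Workday:Timesheet", "SAP:PY_RUN"},
    "frank": {"Workday:Timesheet"},
}


def entitlement_source(entitlement):
    """Recover the source from the assumed 'Source:Name' encoding."""
    return entitlement.split(":", 1)[0]


def role_insights(roles, direct_access, popularity=DEFAULT_POPULARITY):
    """Return {role_name: [(entitlement, share, impacted_identities), ...]}.

    share is the fraction of the role's identities that already hold the
    entitlement; impacted_identities are the members that do not.
    """
    # Criterion 1: only entitlements that belong to no role are candidates.
    in_any_role = set().union(*(r["entitlements"] for r in roles.values()))
    insights = {}
    for role_name, role in roles.items():
        members = role["members"]
        if not members:
            insights[role_name] = []
            continue
        role_sources = {entitlement_source(e) for e in role["entitlements"]}
        # Count, per candidate entitlement, how many members hold it directly.
        counts = Counter()
        for identity in members:
            for ent in direct_access.get(identity, set()) - in_any_role:
                counts[ent] += 1
        suggestions = []
        for ent, held_by in counts.items():
            share = held_by / len(members)
            # Criterion 2: held by at least `popularity` of the role's members.
            if share < popularity:
                continue
            # Criterion 3: the entitlement's source must already be used by the role.
            if entitlement_source(ent) not in role_sources:
                continue
            impacted = sorted(i for i in members if ent not in direct_access.get(i, set()))
            suggestions.append((ent, share, impacted))
        insights[role_name] = sorted(suggestions)
    return insights


if __name__ == "__main__":
    for role_name, suggestions in role_insights(ROLES, DIRECT_ACCESS).items():
        print(role_name)
        for ent, share, impacted in suggestions:
            print(f"  add {ent}: held by {share:.0%}, impacted identities: {impacted or 'none'}")
```

On this data the Finance Analyst role gets two suggestions: AD:Finance-Printers, already held by every member (zero impacted identities, the case the page says should simply be added), and SAP:FI_POST, held by 80% with erin as the one impacted identity. Workday:Timesheet is equally popular but is dropped by criterion 3 because the role uses no Workday source, and raising `popularity` to 1.0 drops SAP:FI_POST as well.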

Exploring Role Insights

In the SailPoint interface, select the Role Insights dashboard panel or navigate to Admin > Access Model > Role Insights.

The Role Insights page provides a pathway to automatically discovered roles and an overview of your role program and suggested updates. It also includes a Discover Roles button that launches Role Discovery where you can define a group of identities and discover new potential roles. For more information, refer to Discovering Roles.

The top of the Role Insights page displays the status of essential benchmarks that measure the progress of your role program:

  • Auto-Discovered Roles - Potential roles automatically discovered by SailPoint with entitlement-based similarities among identities.

  • Access Included in Roles - The percentage of all access in your organization that is included in roles.

  • Identities with Access from Roles - The percentage of identities in your organization that have access from roles.

The goal percentages listed for each benchmark let you know how you are progressing in your development of a more secure role program. The goal percentages are set by SailPoint based on best practices and are there for general guidance.

In the list of Roles with Entitlement Updates, you can browse the roles with entitlement updates, or search role names or owners that start with a specific string. Numerical columns on the Role Insights page can be sorted by selecting or toggling through the sort icons: Unsorted, Descending, and Ascending.

The Impacted Identities column shows how many identities would be affected if you decide to add the entitlement to the role. If it shows 0 impacted identities, all of the identities in the role already have the suggested entitlement through other means, so the suggested entitlement should be added to the role.

Exploring Automatically Discovered Potential Roles

SailPoint automatically discovers new potential roles based on entitlement-based similarities among identities. This simplifies creating and maintaining your access model as follows:

  • Organizations new to SailPoint can quickly and easily build new roles and develop their initial access model starting with automatically discovered roles.
  • As access in your organization changes, SailPoint automatically discovers potential roles that can improve your access model.

On the Role Insights page, the Auto-Discovered Roles tile displays the number of potential roles SailPoint has discovered for your organization as of the date and time stamp. If there are no potential roles discovered, it means your role program currently has sufficient high-impact roles in use.

Select View Potential Roles to view the list of automatically discovered potential roles.

Use the search bar to query across all identity attributes and narrow down the potential role list. For example, searching on "Miami" will return potential roles with any attribute that contains "Miami", such as location, jobtype, or an identity with that name.

Select a potential role to explore its composition, entitlements, and identities. You can work with automatically discovered potential roles the same as potential roles discovered through role discovery, such as:

Exploring Entitlement Updates

Complete the following steps to explore recommended entitlement updates for your existing roles:

  1. On the Role Insights page, select View for the role you want to explore.

    The Updates for Role_Name page lists entitlements on two tabs:

    • Entitlements to Add - This tab lists suggested entitlements that are not currently in the role. A suggested entitlement is already held by 80% of identities that hold the role, but it is not part of the role.

    • Current Entitlements - This tab lists all of the entitlements currently included in the role.

    You can browse the entitlements, or search entitlement names and descriptions that start with a specific string. You can also select the Column Chooser to customize what columns are visible, and select Export to download the suggested entitlement additions to a CSV file.

  2. On the Entitlements to Add tab, select a suggested entitlement to launch the Identity Overview page and see how it affects identities with the role.

    The Identity Overview page lists identities on two tabs:

    • Impacted Identities - This tab lists the identities with the role that currently do not have the suggested entitlement. These are the identities that will be impacted if you decide to add the suggested entitlement to the role.

    • Identities with Entitlement - This tab lists the identities with the role that currently also have the suggested entitlement.

    You can browse the identities or search display names for a specific string. You can also select the Column Chooser to customize what columns are visible.

Exporting Role Insights

After examining insights into your organization's roles and the suggested entitlement updates, you may decide to make some entitlement changes to your roles.

  1. On the Updates for Role_Name page, select Export to download suggested entitlement additions for the role to a CSV file.

    Repeat this step to export suggested entitlement additions for each role that you would like to update.

  2. Use the exported entitlement additions to manually update your roles.
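The Identity Overview tabs and the CSV export from the two procedures above, reproduced as an added example on constructed data (not SailPoint's export format: the column names, the role and identity names, and the `plan_updates` triage helper are assumptions of this example). The helper reads an export back and separates rows with zero impacted identities, which the page says should simply be added, from rows that would grant new access and therefore deserve review before the role is updated manually:

```python
import csv
import io

# Constructed sample (not from the page): one role, its members, and what each
# member holds today from any source.
ROLE_NAME = "Finance Analyst"
MEMBERS = {"alice", "bob", "carol", "dave", "erin"}
CURRENT_ACCESS = {
    "alice": {"SAP:FI_POST", "AD:Finance-Printers"},
    "bob": {"SAP:FI_POST", "AD:Finance-Printers"},
    "carol": {"SAP:FI_POST", "AD:Finance-Printers"},
    "dave": {"SAP:FI_POST", "AD:Finance-Printers"},
    "erin": {"AD:Finance-Printers"},
}
# Suggested entitlements for the role (the Entitlements to Add tab), constructed.
SUGGESTED = ["AD:Finance-Printers", "SAP:FI_POST"]


def identity_overview(members, access, entitlement):
    """The two tabs of the Identity Overview page for one suggested entitlement."""
    with_ent = sorted(i for i in members if entitlement in access.get(i, set()))
    impacted = sorted(i for i in members if entitlement not in access.get(i, set()))
    return {"impacted": impacted, "with_entitlement": with_ent}


def export_suggestions(role_name, suggested, members, access):
    """Render the Entitlements to Add tab as CSV text (column names are an assumption)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["role", "entitlement", "identities_with_entitlement_pct", "impacted_identities"])
    for ent in suggested:
        ov = identity_overview(members, access, ent)
        pct = round(100 * len(ov["with_entitlement"]) / len(members))
        writer.writerow([role_name, ent, pct, ";".join(ov["impacted"])])
    return buf.getvalue()


def plan_updates(csv_text, max_impacted=None):
    """Hypothetical triage of an export before roles are updated by hand.

    Returns (apply, review): rows whose impacted-identity count is within
    max_impacted go to apply; the rest go to review. With max_impacted=0 only
    entitlements every member already holds are applied without review.
    """
    apply, review = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        impacted = [i for i in row["impacted_identities"].split(";") if i]
        bucket = apply
        if max_impacted is not None and len(impacted) > max_impacted:
            bucket = review
        bucket.setdefault(row["role"], []).append((row["entitlement"], impacted))
    return apply, review


if __name__ == "__main__":
    export = export_suggestions(ROLE_NAME, SUGGESTED, MEMBERS, CURRENT_ACCESS)
    print(export)
    to_apply, to_review = plan_updates(export, max_impacted=0)
    print("apply:", to_apply)
    print("review:", to_review)
```

With this data the export carries two rows: AD:Finance-Printers at 100% with no impacted identities, and SAP:FI_POST at 80% with erin impacted. Triaging with `max_impacted=0` puts the first in the apply bucket and holds the second for review, since adding it to the role would grant erin access she does not have today.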

You can check Role Insights regularly for new insights into how to improve your roles as access in your organization changes.
